
svchost.exe virus

PeterEl

Posted 28 August 2012 - 09:14 AM


Hello anybody!

I found a virus in the svchost.exe file that I downloaded from microsoft.com. In order: I went to the website microsoft.com and downloaded the update Service Pack 3 for Windows XP, then I found the file "svchost.ex_" and extracted it to a file "svchost.exe", and then I checked this file on VIRUSTOTAL.COM and it found a VIRUS!!! - McAfee-GW-Edition (antivirus program) Heuristic.LooksLike.Win32.Suspicious.I

PeterEl

Posted 28 August 2012 - 10:31 AM

In the first place, why would you need to download svchost.exe (your Windows OS already has it)? Also, using caps/bold/big font won't help more...

ya, ya ))) I know...

I first began to verify the file that already exists in my Windows. When I discovered by the above method a virus in it, I decided to download svchost.exe from microsoft.com - assuming that there would not be a virus there. But the virus was there, too.

allen2

Posted 28 August 2012 - 11:13 AM


Ok, but be careful: the official svchost.exe can load a virus like Conficker, as it is only a service hosting functionality, so if you see an svchost.exe process downloading or doing strange things, it could be that the hosted DLL is a trojan (like Conficker). I take Conficker as an example, as it is the worst virus created and it is still spreading even though it was "released" in 2008 (almost 4 years for a virus still spreading is perhaps a world record).

submix8c

Posted 28 August 2012 - 11:21 AM


Yes, it CAN load viruses. SERVICES.EXE can be compromised as well (even worse to root out - look it up). But the OFFICIAL one is NOT a virus. The OP is going totally paranoid with misinformation and misunderstandings (ref: this).

Posted 29 August 2012 - 07:57 AM

I got the SHA256 shown above using this online one. That's what I cross-checked at VirusTotal (search on the SHA256 - that's how I found the NOT VIRUS link).

WHY in the WORLD do you think Microsoft would give a Service Pack with a VIRUS in it? If you downloaded DIRECTLY from Microsoft, IT IS NOT A VIRUS!!!!! The OTHER SHA256 ones at VirusTotal MAY be (and probably are). The ones listed on VirusTotal (NOT the one with NO VIRUS FOUND) are part of a Trojan, as are MANY (and probably all) instances of SERVICES.EXE that are NOT the REAL one (from Microsoft).

Bottom line - you can search on nearly ANY Microsoft Program Name and discover SOMEWHERE a case of a Trojan/Virus that is NOT from Microsoft. Try it and see (for example SERVICES.EXE).

YOURS IS NOT A VIRUS!!!!! OK? Please stop accusing Microsoft of supplying Viruses and Trojans.

PeterEl

Posted 29 August 2012 - 08:16 AM


1) Ok. Tell me please, if you take your SVCHOST.EXE file and check it on VIRUSTOTAL.COM - will there be a virus?
2) <<"HashMyFiles" doesn't give SHA256>> It sounds strange... in the HashMyFiles that I downloaded there is SHA256: if you choose VIEW SETTINGS and then SELECT COLUMNS, there will be SHA256. By the way, in the "HashMyFiles" that I downloaded, VIRUSTOTAL found a virus too!!! But another one.

submix8c

Posted 29 August 2012 - 09:35 AM


Then your CURRENT one has a Trojan/Virus. The REAL one does not do that.

In fact, your Trojan/Virus may be in your TEMP folder or "Temporary Internet Files" folder and an entry was put in the Registry to cause SVCHOST.EXE (a real one) to "run" the Trojan/Virus. SVCHOST.EXE is a "driver" (if you will) for Services and of itself does NOT do any "connections" - that's left to the "loaded" program. Look that up, my friend.

And if you CONNECT to a website, you will indeed get "connections" shown. I showed that in the other thread about your Router settings.

So... you're telling me the HashMyFiles that YOU UPLOADED to VirusTotal says it's a VIRUS? Are you SERIOUS?

How about that? I have an older version. Thanks for the tip on that.

Oh, and BTW, I do NOT upload files to VirusTotal but I'll be glad to do it if it'll make you happy.
...BWAHAHAH!!!!! Done! Again, McAfee is a POS (look up that acronym)! And I would BET that the Definitions are outdated! DID YOU READ THE MICROSOFT ARTICLE? It SPECIFICALLY names THAT ANTIVIRUS as giving FALSE POSITIVE.

GIVE UP, dude, it's NOT that program if you indeed HAVE a Trojan/Virus! Riddle me this, Batman - How can you explain the EXACT SAME FILE giving TWO DIFFERENT RESULTS for the SAME FILE? (Remember the OTHER link?)

BTW, the SYMPTOMS of the Trojan/Virus is HIGH CPU USAGE for SVCHOST. Do YOU have that symptom? If not, then YOU ARE IN GOOD SHAPE and more than likely "clean"! LOOK THAT UP, dude!

allen2

Posted 29 August 2012 - 09:38 AM


You should use TCPView first to know which process(es) are doing those requests (also get the PID to check which user is launching them). Then, depending on the process(es) and/or the user launching them, different solutions may arise.
Edit: The PID will help you to find in Task Manager, or better in Process Explorer, which user is launching them (you'll need to add the right columns in the View menu).
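As an added example (not code from this thread), the Python below does the attribution step allen2 describes: it joins constructed `netstat -ano` output with constructed `tasklist /svc` output so that each connection maps to a PID and, for svchost.exe, to the services that instance hosts, which is what actually made the connection. All sample lines and PIDs are made up; the launching user still has to come from Process Explorer or Task Manager as the post says.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not taken from the OP's machine).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:49152      13.107.4.50:80         ESTABLISHED     1084
  UDP    0.0.0.0:3702           *:*                                    1276
"""
# Constructed sample of `tasklist /svc` output; PID 1500 shows a wrapped service list.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
svchost.exe                   1084 BITS, wuauserv
svchost.exe                   1276 FDResPub, SSDPSRV
svchost.exe                   1500 Dnscache, LanmanWorkstation,
                                   NlaSvc
explorer.exe                  2040 N/A
"""
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
TASK_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.*?)\s*$")

def _services(field):  # "BITS, wuauserv," -> ["BITS", "wuauserv"]; "N/A" -> []
    return [s.strip() for s in field.split(",") if s.strip() not in ("", "N/A")]

def parse_netstat(text):
    """Map PID -> [(proto, local, remote, state)] from netstat -ano output."""
    conns = defaultdict(list)
    for m in filter(None, map(CONN_RE.match, text.splitlines())):
        proto, local, remote, state, pid = m.groups()
        conns[int(pid)].append((proto, local, remote, state or ""))  # UDP has no state
    return conns

def parse_tasklist_svc(text):
    """Map PID -> (image name, [hosted services]) from tasklist /svc output."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        m = TASK_RE.match(line)
        if m:
            image, pid, services = m.groups()
            last_pid = int(pid)
            procs[last_pid] = (image, _services(services))
        elif last_pid is not None and line[:1].isspace():
            procs[last_pid][1].extend(_services(line))  # continuation of service list
    return procs

def attribute_connections(netstat_text, tasklist_text):
    """For each PID with connections, return the hosting image, its services and the connections."""
    procs = parse_tasklist_svc(tasklist_text)
    return {pid: {"process": procs.get(pid, ("<unknown>", [])), "connections": entries}
            for pid, entries in parse_netstat(netstat_text).items()}
```

On a real box, feed it the saved output of `netstat -ano` and `tasklist /svc`; an svchost PID whose services do not explain its remote endpoints is the one to look at in Process Explorer.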

allen2

Posted 29 August 2012 - 10:58 AM


I disagree with you there:
- If you're right, you don't need to be that angry/harsh when you're explaining something. If he doesn't understand, that is either because he needs more information or because the problem wasn't explained properly.
- The OP needs to learn how to diagnose those problems by himself, and if no one explains properly how to do it, he will still have doubts about your (or my) diagnosis.

Of course the downloaded svchost.exe from SP3 couldn't be a virus, but that doesn't mean the OP resolved his problem. He is right in wanting to understand why and how he got this false positive.
The only way to help him now is to let him learn how to monitor his computer's TCP connections and how to check which process(es) are using them.
Most likely there is a good reason for every connection, but knowing the reason will help him understand what is happening there and why. Also, that is the only way to reassure him.

allen2

Posted 29 August 2012 - 01:13 PM

I don't know how VirusTotal works exactly, but what I find strange is that it would use virus definitions from 2 years ago (taken from your link):

This issue occurs for version 5958 of the McAfee DAT file. This DAT file was released on April 21, 2010. This DAT file has been superseded by version 5959, which corrects the false-positive detection that is described in the "Summary" section. Additionally, McAfee has released an EXTRA.DAT file that can be used to suppress the false-positive detection of the Svchost.exe process for customers who are running version 5958 of the DAT file.

submix8c

Posted 29 August 2012 - 01:43 PM


allen2 - This is just to point out the fallacies that McAfee has - even MS has said it goofs. And again, the ONLY one that sees a "problem" with SVCHOST. Coincidence? I think not. Just because SVCHOST runs services doesn't mean it should be flagged as "suspicious". I stated my opinion of McAfee and I stand by it.

If the OP wishes to know "how things work" as opposed to a blatant "MS serves viruses" then they should say so... after an exhaustive internet search doesn't reveal the requested info.

However, in this case, I have suggested TWO very good programs to reassure them, and Panda has a free HDD scan as well. VirusTotal is not the be-all/end-all.

allen2

Posted 29 August 2012 - 02:58 PM


I don't want to discuss further without any solid evidence from the OP, but it could happen that a virus running on his computer infected the downloaded svchost.exe right after downloading it (I've seen something similar about 10 years ago). Also, just for the record, McAfee isn't the worst antivirus out there, and the latest DAT definition is 6819. Also, I tried uploading the svchost.exe from XP SP3 to virustotal.com (SHA256: 2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5) and indeed it is detected as a virus by McAfee-GW-Edition, but isn't detected as a virus by other antivirus products or by McAfee "classic".

So this one is most likely a false positive triggered by the heuristic analysis of McAfee GW, and that isn't the first (and most likely not the last) time it happens. Also, the MS KB was about McAfee "classic" and not the GW edition, and the two don't use the same kind of virus definitions (and in this case it isn't even related to a virus definition).

submix8c

Posted 29 August 2012 - 03:47 PM


SHEESH, dude! Did you even read my posts? I DID THE SAME THING!

As for the OP having a virus, the OP willy-nilly chose his findings from the internet and NEVER said they uploaded ANYTHING (or did I really miss that). Those tools I mention WILL identify an "infected" one and even one RELATED to it (in the TEMP/Temp Inet). I have already done battle with these beasts so am knowledgeable else I wouldn't have suggested the "search", tools, or symptoms. The SERVICES.EXE one is a BEAR to get rid of - and it's not even THAT program that's infected!

And I must point out (re: the MS link) I said "just to point out" that I was, indeed, pointing out "false positives" (repeatedly)! Try Google:

McAfee-GW-Edition false positive

FAIL!

What part of any of this is not being understood? I thought I was very clear in respect to the original "problem", which somehow transmogrified into Firewall Connection Logs (obviously misunderstanding "how stuff works") that were discussed in the OTHER topic. It appears obvious that the OP is testing out a newly minted install along with a brand spanky new router and firewall and going OMG MS HAS VIRUSES AND I AM BEING ATTACKED FROM WITHOUT!

allen2

Posted 30 August 2012 - 12:12 AM


and check your own svchost.exe from their computers, and tell me the results...

allen2, maybe you can do this? Please, it's not hard.

I did it and got the same false positive for the downloaded svchost from XP SP3. I also tried with the one from my running OS, and this one didn't get the false positive, but that is because it is in another language.

PeterEl

Posted 30 August 2012 - 12:24 AM


Thanks. Another language? What language did you download from XP SP3? And what language is your running OS?